Authorization beyond IdPs: where access control starts to break


(@nhi-mgmt-group)

TL;DR: Authentication platforms handle login well, but they often stop short at fine-grained access decisions, runtime context, tenant-specific policy, and auditability, according to Cerbos and referenced standards such as NIST SP 800-162. The real governance gap is that access models built for static roles and token claims do not scale cleanly as applications, tenants, and compliance demands multiply.

NHIMG editorial — based on content published by Cerbos: Why your IdP isn't enough for authorization

Questions worth separating out

Q: How should security teams implement externalized authorization in existing applications?

A: Start with one application that already has visible permission complexity, then move its access rules into a central policy layer.

Q: When does role-based access control stop being enough for IAM governance?

A: RBAC stops being enough when access depends on resource attributes, tenant boundaries, environment, or time, rather than a small set of static roles.

Q: What do teams get wrong about authorization logging and audits?

A: Teams often log authentication events and assume that is sufficient evidence.

Practitioner guidance

  • Separate authentication from authorization ownership: assign a distinct control owner for access decisions, policy changes, and audit evidence.
  • Externalise context-dependent access rules: move rules that depend on resource sensitivity, tenant scope, time, or request context into a central policy layer.
  • Require decision trails for every deny and allow: log the principal, action, resource, policy version, and evaluated attributes for each authorization decision.
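As an added illustration (not code from Cerbos or from the NHIMG post), a toy policy decision point that externalises the tenant-boundary, sensitivity and time-of-day rules the guidance names, and emits a decision trail carrying the fields the last bullet lists for both allows and denies. The rule labels, attribute names and the `docs-policy-v3` version string are constructed for the example.

```python
import json
from dataclasses import dataclass

POLICY_VERSION = "docs-policy-v3"  # constructed label; pin a bundle id or commit in practice

@dataclass(frozen=True)
class AccessRequest:
    principal: str
    principal_tenant: str
    roles: frozenset
    action: str          # "view" | "edit" | "export"
    resource: str
    resource_tenant: str
    sensitivity: str     # "internal" | "restricted"
    hour_utc: int        # request hour 0-23, passed in so decisions are reproducible

def evaluate(req: AccessRequest) -> dict:
    """Evaluate the externalised rules and return one decision record.

    Rules are ordered: tenant boundary first, then sensitivity, then time,
    then the role-based allows; anything unmatched falls through to default deny.
    """
    if req.principal_tenant != req.resource_tenant:
        effect, rule = "DENY", "tenant-boundary"          # no role crosses tenants
    elif req.sensitivity == "restricted" and "auditor" not in req.roles:
        effect, rule = "DENY", "restricted-requires-auditor"
    elif req.action == "export" and not 8 <= req.hour_utc < 18:
        effect, rule = "DENY", "export-business-hours-only"
    elif req.action == "view":
        effect, rule = "ALLOW", "tenant-member-view"
    elif req.action in ("edit", "export") and req.roles & {"editor", "auditor"}:
        effect, rule = "ALLOW", "editor-or-auditor-write"
    else:
        effect, rule = "DENY", "default-deny"
    return {
        "principal": req.principal, "action": req.action, "resource": req.resource,
        "effect": effect, "rule": rule, "policy_version": POLICY_VERSION,
        "attributes": {  # the evaluated attributes an auditor needs to replay the decision
            "principal_tenant": req.principal_tenant, "resource_tenant": req.resource_tenant,
            "roles": sorted(req.roles), "sensitivity": req.sensitivity, "hour_utc": req.hour_utc,
        },
    }

def authorize(req: AccessRequest, trail: list) -> bool:
    """Enforcement point: record every decision (allow and deny), then enforce it."""
    record = evaluate(req)
    trail.append(json.dumps(record, sort_keys=True))  # one JSON line per decision
    return record["effect"] == "ALLOW"
```

Because the trail records the policy version and the attributes that were actually evaluated, a compliance reviewer can reconstruct why a given request was allowed or denied without re-running the application.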

What's in the full article

Cerbos' full post covers the operational detail this post intentionally leaves for the source:

  • Nine evaluation dimensions for choosing an authorization layer in a production stack
  • Practical guidance on latency, deployment models, and sidecar-style enforcement
  • Audit logging requirements for reconstructing allow and deny decisions in compliance reviews
  • Build-vs-buy considerations for teams comparing internal policy code with externalized authorization

👉 Read Cerbos' analysis of why externalized authorization matters beyond IdPs →
